Policy Intelligence tools

Large organizations often have complicated Identity and Access Management (IAM) policies. Policy Intelligence tools help you understand and manage your policies to proactively improve your security configuration.

The following sections explain what you can do with Policy Intelligence tools.

Enforce least privilege

Role recommendations help you enforce the principle of least privilege by ensuring that principals have only the permissions that they actually need. Each role recommendation suggests that you remove or replace a role that gives your principals excess permissions.

Recommender identifies excess permissions using policy insights. Policy insights are ML-based findings about permission usage in your project, folder, or organization.

Some recommendations are also associated with lateral movement insights. These insights identify roles that allow service accounts in one project to impersonate service accounts in another project.

To learn more about role recommendations, including how they are generated, see Enforce least privilege with role recommendations.

Simulate policy changes

Policy Simulator lets you see how an IAM policy change might impact a principal's access before you commit to making the change. You can use Policy Simulator ensure that the changes you're making won't cause a principal to lose access that they need.

To find out how an IAM policy change might impact a principal's access, Policy Simulator determines which access attempts from the last 90 days have different results under the proposed policy and the current policy. Then, it reports these results as a list of access changes.

To learn more about Policy Simulator, see Understanding Policy Simulator.

Understand your IAM policies

There are several Policy Intelligence tools that help you understand what access your IAM policies grant.

Analyze access

Cloud Asset Inventory provides the Policy Analyzer, which helps you find out what principals have access to which Google Cloud resources.

Typical questions the Policy Analyzer can help you answer are "Who can access this IAM service account?" and "Who can read data in this BigQuery dataset that contains personally identifiable information (PII)?"

The Policy Analyzer allows you to perform access administration, provides access visibility, and can also be used for audit and compliance-related tasks.

To learn how to use Policy Analyzer, see Analyzing IAM policies.

Troubleshoot access

Policy Troubleshooter makes it easier to understand why a user has access to a resource or doesn't have permission to call an API. Given an email, resource, and permission, Policy Troubleshooter examines all IAM policies that apply to the resource. It then reveals whether the principal's roles include the permission on that resource and, if so, which policies bind the principal to those roles.

To learn how to use Policy Troubleshooter, see Troubleshooting access.

Comparison of Policy Analyzer and Policy Troubleshooter

Both Policy Analyzer and Policy Troubleshooter help you answer questions about your IAM policies. However, the types of questions they help you answer are different.

Policy Analyzer helps you answer "who," "what," and "which" questions, like the following:

  • "Who has any access to this IAM service account?"
  • "What roles and permissions does this user have on this BigQuery dataset?"
  • "Which BigQuery datasets does this user have permission to read?"

In contrast, Policy Troubleshooter helps you answer "why" questions, like the following:

  • "Why does this user have the bigquery.datasets.create permission on this BigQuery dataset?"
  • "Why isn't this user able to view the IAM policy of this BigQuery dataset?"

What's next